Anthos Service Mesh uses sidecar proxies to enhance network security, reliability, and observability. These functions are abstracted away from the application's primary container and implemented in a common out-of-process proxy (the sidecar), delivered as a separate container in the same Pod. This provides Anthos Service Mesh's features without redesigning your production applications to participate in a service mesh.
Automatic sidecar proxy injection (auto-injection) occurs when Anthos Service Mesh detects a namespace label that you configure for the workload's Pod. The proxy intercepts all inbound and outbound traffic to the workloads and communicates with Anthos Service Mesh.
Permissions required for these tasks
To perform the tasks on this page, you must have the roles/container.clusterAdmin role or a higher role. See Google Kubernetes Engine roles for details on the permissions included in this role.
Enabling automatic sidecar injection
The recommended way to inject sidecar proxies is to use the webhooks-based automatic sidecar injector, although you can manually update your Pods' Kubernetes configuration. To inject your Pods with the sidecar proxy, you configure auto-injection by labeling your namespaces with the same revision label that you set on istiod when you installed Anthos Service Mesh.
To enable auto-injection:
Use the following command to locate the revision label on istiod:
kubectl -n istio-system get pods -l app=istiod --show-labels
The output looks similar to the following:
NAME                                READY   STATUS    RESTARTS   AGE   LABELS
istiod-asm-186-8-5788d57586-bljj4   1/1     Running   0          23h   app=istiod,istio.io/rev=asm-186-8,istio=istiod,pod-template-hash=5788d57586
istiod-asm-186-8-5788d57586-vsklm   1/1     Running   1          23h   app=istiod,istio.io/rev=asm-186-8,istio=istiod,pod-template-hash=5788d57586
In the output, under the LABELS column, note the value of the istiod revision label, which follows the prefix istio.io/rev=. In this example, the value is asm-186-8.
Apply the revision label to namespaces and remove the istio-injection label (if it exists). In the following command, NAMESPACE is the name of the namespace where you want to enable auto-injection, and REVISION is the revision label you noted in the previous step.
kubectl label namespace NAMESPACE istio-injection- istio.io/rev=REVISION --overwrite
You can ignore the message "istio-injection not found" in the output. It means that the namespace didn't previously have the istio-injection label, which you should expect in new installations of Anthos Service Mesh or new deployments. Because auto-injection fails if a namespace has both the istio-injection label and the revision label, all kubectl label commands in the Anthos Service Mesh documentation include removing the istio-injection label.
Restart the affected pods, using the steps in the next section.
Restart Pods to update sidecar proxies
With automatic sidecar injection, you can update the sidecars for existing Pods with a Pod restart. How you restart Pods depends on whether they were created as part of a Deployment.
If you used a Deployment, restart the Deployment, which restarts all Pods with sidecars:
kubectl rollout restart deployment -n YOUR_NAMESPACE
If you didn't use a Deployment, delete the Pods, and they are automatically recreated with sidecars:
kubectl delete pod -n YOUR_NAMESPACE --all
Check that all the Pods in the namespace have sidecars injected:
kubectl get pod -n YOUR_NAMESPACE
In the following example output from the previous command, notice that the READY column indicates there are two containers for each of your workloads: the primary container and the container for the sidecar proxy.
NAME            READY   STATUS    RESTARTS   AGE
YOUR_WORKLOAD   2/2     Running   0          20s
...
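The full procedure above (find the istiod revision, relabel the namespace, restart the workloads, verify the READY column) as an added POSIX shell script; this is not part of the Anthos Service Mesh documentation. The kubectl wrappers assume kubectl is on PATH and targets your cluster, and the two sample outputs are constructed so the parsing steps can be exercised offline.

```shell
#!/bin/sh
# Added helper script; not part of the Anthos Service Mesh documentation.
# kubectl wrappers assume kubectl is on PATH and targets the right cluster;
# the parsing functions work offline on captured command output.
# Constructed sample output of:
#   kubectl -n istio-system get pods -l app=istiod --show-labels
SAMPLE_ISTIOD_OUTPUT='NAME READY STATUS RESTARTS AGE LABELS
istiod-asm-186-8-5788d57586-bljj4 1/1 Running 0 23h app=istiod,istio.io/rev=asm-186-8,istio=istiod,pod-template-hash=5788d57586'

# Constructed sample output of: kubectl get pod -n YOUR_NAMESPACE
SAMPLE_POD_OUTPUT='NAME READY STATUS RESTARTS AGE
frontend-7d9f-abcde 2/2 Running 0 20s
backend-5c6b-fghij 2/2 Running 0 20s'

# Step 1: read --show-labels output on stdin, print the istio.io/rev value.
istiod_revision() {
  awk 'NR > 1 {
    n = split($NF, kv, ",")
    for (i = 1; i <= n; i++)
      if (kv[i] ~ /^istio\.io\/rev=/) { sub(/^istio\.io\/rev=/, "", kv[i]); print kv[i]; exit }
  }'
}

# Step 2: set the revision label and drop istio-injection in one call, so the
# two labels never coexist (auto-injection fails when both are present).
enable_injection() {  # usage: enable_injection NAMESPACE REVISION
  kubectl label namespace "$1" istio-injection- "istio.io/rev=$2" --overwrite
}

# Step 3: restart Deployments so their Pods come back with the sidecar.
restart_workloads() {  # usage: restart_workloads NAMESPACE
  kubectl rollout restart deployment -n "$1"
}

# Step 4: read `kubectl get pod` output on stdin; succeed only if every Pod
# has all containers ready and at least two of them (app + sidecar proxy).
all_pods_have_sidecar() {
  awk 'NR > 1 {
    split($2, r, "/")
    if (r[1] != r[2] || r[2] + 0 < 2) bad = 1
  } END { exit (bad ? 1 : 0) }'
}

# Offline demonstration on the constructed samples.
REV=$(printf '%s\n' "$SAMPLE_ISTIOD_OUTPUT" | istiod_revision)
echo "istiod revision label: $REV"
if printf '%s\n' "$SAMPLE_POD_OUTPUT" | all_pods_have_sidecar; then
  echo "every Pod in the namespace has a sidecar"
fi
```

For a live cluster, run `enable_injection NAMESPACE "$(kubectl -n istio-system get pods -l app=istiod --show-labels | istiod_revision)"` followed by `restart_workloads NAMESPACE`, then pipe `kubectl get pod -n NAMESPACE` into `all_pods_have_sidecar`.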
Learn more about: